File name:	RFQ Request For Quotation.exe
Full analysis:	https://app.any.run/tasks/7d29ca1b-5316-483c-938a-8208552a32ec
Verdict:	Malicious activity
Threats:	Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	July 16, 2019, 23:43:22
OS:	Windows 10 Professional (build: 16299, 32 bit)
Tags:	stealer trojan SecurityXploded
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	D06E763D1C6B7E6E01C237EDB03752E0
SHA1:	0A6B74F43F476AE0DBB31C3D982A2046763ED5D0
SHA256:	D94ACE8C997D1EC1F05F05D7EA41882CD0255F078C96C175B61CEBDC66E613BE
SSDEEP:	24576:j0BG9gGUvH+uO4H4444CUjBbxTJL9z+FBn0+glXWELlhvrSoPsmnnygW9l9l:j0PGAeP4H4444CgbxTrY0tFWELl/PsqK

.exe	\|	Win32 Executable MS Visual C++ (generic) (30.9)
.exe	\|	Win64 Executable (generic) (27.3)
.exe	\|	UPX compressed Win32 Executable (26.8)
.dll	\|	Win32 Dynamic Link Library (generic) (6.5)
.exe	\|	Win32 Executable (generic) (4.4)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2013:07:16 19:19:51+02:00
PEType:	PE32
LinkerVersion:	6
CodeSize:	241664
InitializedDataSize:	131072
UninitializedDataSize:	-
EntryPoint:	0x2f9df
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI

Architecture:	IMAGE_FILE_MACHINE_I386
Subsystem:	IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:	16-Jul-2013 17:19:51
Detected languages:	English - United States

Magic number:	MZ
Bytes on last page of file:	0x0090
Pages in file:	0x0003
Relocations:	0x0000
Size of header:	0x0004
Min extra paragraphs:	0x0000
Max extra paragraphs:	0xFFFF
Initial SS value:	0x0000
Initial SP value:	0x00B8
Checksum:	0x0000
Initial IP value:	0x0000
Initial CS value:	0x0000
Overlay number:	0x0000
OEM identifier:	0x0000
OEM information:	0x0000
Address of NE header:	0x000000E0

Signature:	PE
Machine:	IMAGE_FILE_MACHINE_I386
Number of sections:	4
Time date stamp:	16-Jul-2013 17:19:51
Pointer to Symbol Table:	0x00000000
Number of symbols:	0
Size of Optional Header:	0x00E0
Characteristics:	IMAGE_FILE_32BIT_MACHINE IMAGE_FILE_EXECUTABLE_IMAGE IMAGE_FILE_LINE_NUMS_STRIPPED IMAGE_FILE_LOCAL_SYMS_STRIPPED IMAGE_FILE_RELOCS_STRIPPED

Name	Virtual Address	Virtual Size	Raw Size	Charateristics	Entropy
.text	0x00001000	0x0003A2EA	0x0003B000	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	6.50844
.rdata	0x0003C000	0x00008FE8	0x00009000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	5.22595
.data	0x00045000	0x00016FD8	0x00013000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	4.19436
.rsrc	0x0005C000	0x00010FBC	0x00011000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	1.41883

Title	Entropy	Size	Codepage	Language	Type
1	1.318	67624	UNKNOWN	English - United States	RT_ICON
7	2.31894	86	UNKNOWN	English - United States	RT_STRING
109	1.79879	16	UNKNOWN	English - United States	RT_ACCELERATOR
129	3.57295	592	UNKNOWN	English - United States	RT_DIALOG
130	3.37305	340	UNKNOWN	English - United States	RT_DIALOG
139	3.11873	148	UNKNOWN	English - United States	RT_DIALOG
140	3.26439	216	UNKNOWN	English - United States	RT_DIALOG
201	1.98048	20	UNKNOWN	English - United States	RT_GROUP_ICON


(PID) Process:	(3960) RFQ Request For Quotation.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithProgids
Operation:	write	Name:	VBSFile
Value:
(PID) Process:	(3960) RFQ Request For Quotation.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(3960) RFQ Request For Quotation.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(3960) RFQ Request For Quotation.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(3960) RFQ Request For Quotation.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(3960) RFQ Request For Quotation.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation:	write	Name:	C:\WINDOWS\System32\WScript.exe.FriendlyAppName
Value: Microsoft ® Windows Based Script Host
(PID) Process:	(3960) RFQ Request For Quotation.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation:	write	Name:	C:\WINDOWS\System32\WScript.exe.ApplicationCompany
Value: Microsoft Corporation
(PID) Process:	(3528) WScript.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(3528) WScript.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(3528) WScript.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1

PID	Process	Filename		Type
452	adobepdf.exe	C:\Users\admin\AppData\Local\Temp\Login Data		—
		MD5:—	SHA256:—
2864	cmd.exe	C:\Users\admin\AppData\Roaming\Adobe\Adobe INC\AadobeRead\555.555		—
		MD5:—	SHA256:—
2864	cmd.exe	C:\Users\admin\AppData\Roaming\Adobe\Adobe INC\AadobeRead\444.444		—
		MD5:—	SHA256:—
3960	RFQ Request For Quotation.exe	C:\Users\admin\AppData\Roaming\Local\Adobe\Pdf\low\adobel.vbs		text
		MD5:—	SHA256:—
3960	RFQ Request For Quotation.exe	C:\Users\admin\AppData\Roaming\Local\Adobe\Pdf\low\adobepdf2.exe		executable
		MD5:—	SHA256:—
3960	RFQ Request For Quotation.exe	C:\Users\admin\AppData\Roaming\Local\Adobe\Pdf\low\adob02.bat		text
		MD5:—	SHA256:—
3912	xcopy.exe	C:\Users\admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adobepdf.exe		executable
		MD5:—	SHA256:—
3960	RFQ Request For Quotation.exe	C:\Users\admin\AppData\Roaming\Local\Adobe\Pdf\low\adobepdf.exe		executable
		MD5:—	SHA256:—
3960	RFQ Request For Quotation.exe	C:\Users\admin\AppData\Roaming\Local\Adobe\Pdf\low\adobe01.bat		text
		MD5:—	SHA256:—
3960	RFQ Request For Quotation.exe	C:\Users\admin\AppData\Roaming\Local\Adobe\Pdf\low\ancp.exe		executable
		MD5:—	SHA256:—


ADVAPI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	40.90.23.215:443	login.live.com	Microsoft Corporation	US	unknown
—	—	93.184.220.29:80	ocsp.digicert.com	MCI Communications Services, Inc. d/b/a Verizon Business	US	whitelisted
3416	ancp.exe	198.23.57.8:21	ftp.freehostia.com	Steadfast	US	malicious
3416	ancp.exe	198.23.57.8:33189	ftp.freehostia.com	Steadfast	US	malicious
508	ancp.exe	198.23.57.8:21	ftp.freehostia.com	Steadfast	US	malicious
508	ancp.exe	198.23.57.8:33441	ftp.freehostia.com	Steadfast	US	malicious

Domain	IP	Reputation
login.live.com	40.90.23.215 40.90.23.235 40.90.23.247	whitelisted
self.events.data.microsoft.com	52.114.88.29 52.114.74.45 52.114.74.43	whitelisted
ocsp.digicert.com	93.184.220.29	whitelisted
ftp.freehostia.com	198.23.57.8	malicious
nexusrules.officeapps.live.com	52.109.124.20 52.109.8.20	whitelisted
config.edge.skype.com	13.107.3.128	malicious

PID	Process	Class	Message
3416	ancp.exe	Generic Protocol Command Decode	SURICATA Applayer Detect protocol only one direction
3416	ancp.exe	A Network Trojan was detected	MALWARE [PTsecurity] SecurityXploded BrowserPasswordDump
508	ancp.exe	Generic Protocol Command Decode	SURICATA Applayer Detect protocol only one direction
508	ancp.exe	A Network Trojan was detected	MALWARE [PTsecurity] PSWTool.SecurityXploded used by Stealer.Separ for Exfiltration
508	ancp.exe	A Network Trojan was detected	MALWARE [PTsecurity] PSWTool.SecurityXploded used by Stealer.Separ for Exfiltration

General Info

RFQ Request For Quotation.exe

D06E763D1C6B7E6E01C237EDB03752E0

0A6B74F43F476AE0DBB31C3D982A2046763ED5D0

D94ACE8C997D1EC1F05F05D7EA41882CD0255F078C96C175B61CEBDC66E613BE

24576:j0BG9gGUvH+uO4H4444CUjBbxTJL9z+FBn0+glXWELlhvrSoPsmnnygW9l9l:j0PGAeP4H4444CgbxTrY0tFWELl/PsqK

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

Detected SecurityXploded stealer

Stealing of credential data

Actions looks like stealing of personal data

SUSPICIOUS

Executable content was dropped or overwritten

Creates files in the user directory

Starts CMD.EXE for commands execution

Executes scripts

Executed via COM

Uses ATTRIB.EXE to modify file attributes

Uses IPCONFIG.EXE to discover IP address

INFO

Malware configuration

Static information

TRiD

EXIF

EXE

Summary

DOS Header

PE Headers

Sections

Resources

Imports

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings